With estimated worldwide cyber crime losses in 2011 over $388 billion, corporations, both large and small, are focusing considerable attention towards the security of their physical infrastructures as well as their outward facing web applications. While most physical infrastructures have been secured, there are still many critical security vulnerabilities in the majority of web applications.

In this “Case Study” column I will share some takeaways based on my involvement in two recent remediation engagements as a basis for understanding the reasons behind the continued trend in vulnerable web applications. I will also touch briefly on the testing of web applications for security vulnerabilities and remediation and development techniques employed to ensure security.

__________________
You don't need to be a genius to debug a pf.conf firewall ruleset, you just need the guts to run tcpdump

There are probably a few common problems here:
1. My understanding is that the web server should be run as nobody on a UNIX-like/clone system. Is such an option available for Windows?
2. Some run the applications in a chrooted environment. Is this method known by others and is it available for Windows?
3. What is the percentage that take time to set permissions on directories from write to access?